Hi all -
I am working on transitioning our test galaxy -> production and this is
how I have decided to handle unix & galaxy users.
I have two groups created on our cluster. 1) galaxyadmin and 2)
galaxyusers. galaxyadmin is a subset of galaxyusers.
We have authentication occurring in an apache front to our campus
id/passwd. I then place the campus id as well as campus email in the
request header during the proxy to galaxy. The email is used as the
galaxy id.
I have augmented galaxy code such that when a new user logs onto galaxy
and galaxy auto-creates the galaxy account, it also kicks off scripts that
configure the unix account. It creates a new unix account if it does not
exist (group galaxyusers), otherwise will augment the existing user's
default group (keeping all other group relationships) to be galaxyusers.
I have installed the latest version of openSSH. I have prevented all
galaxyusers from sshing into the box, and instead set up a sftp jail. The
sftp jail directory is not the user's home directory. The sshd_config
also allows me to specify a sftp umask, so when a user puts a file into
their sftp jail, it will be readable/writeable to anyone in the
galaxyusers group (note the jail and preventing ssh does not expose the
files to any other users).
As part of the scripts that get kicked off in galaxy to create/mod a user
- I also create the necessary ftp links to galaxy. I create a symlink
from galaxy's ftp directory with the galaxy user id (email) to the user's
jailed sftp directory (username). This allows galaxy runtime to import
without problems since the files are galaxyusers group read/writeable.
My galaxy runs under a galaxy userid (not root) but I have augmented the
sudoers file to allow for just that id to have access to specific commands
in order to adjust useraccounts.
This has been all working in our production prototype testing and we will
be having a security review on it shortly - but it should be sound.
Hope this helps!
>
>Message: 11
>Date: Mon, 30 Jan 2012 09:31:15 -0500
>From: David Hoover <hooverdm(a)helix.nih.gov>
>To: Sarah Maman <sarah.maman(a)toulouse.inra.fr>
>Cc: galaxy-dev(a)lists.bx.psu.edu
>Subject: Re: [galaxy-dev] Unix user account/connection and Galaxy
> connection
>Message-ID: <A0EE343C-C9F5-4039-B684-DD370FB2FDA4(a)helix.nih.gov>
>Content-Type: text/plain; charset="us-ascii"
>
>I'd love to know answers to this question as well. So far, all I've done
>is create two tools for copying files between Galaxy and a user's
>personal directories using a rather dangerous setuid executable.
>
>I have mulled over two possibilities for this problem. One is to run
>Galaxy as root. The other is for each user to kick off their own
>personal instance of Galaxy as themselves, but accessing the same main
>database and file repository. The latter would require all files be
>read-write accesible to all users. Neither is good.
>
>On Jan 30, 2012, at 4:29 AM, Sarah Maman wrote:
>
>> Dear all,
>>
>> There is currently no link between an user ssh connection on his own
>>account (own space on Unix) and the Galaxy connection.
>> How to run Galaxy on an Unix user account? How to link the data storage
>>system and the Unix user account (symlink?)?
>>
>> The goal is to not need to copy or move data.
>>
>>
>> PS : Thanks a lot to David, Gordon, Brad, Christophe and Nate for your
>>help on LDAP authentification.
>> I always try to find a solution (Apache configuration). I will inform
>>Galaxy list when I will find a solution.
>>
>>
>> Thanks in advance,
>>
>> Sarah
>
>
>
>
>
>******************************************